PrivacyCon 2019 session 1 ANDREA ARIAS: Here at the Federal Trade Commission. I’m happy to welcome you to our fourth— that’s right. —fourth PrivacyCon today. We’re happy to see so many of you here today. My name is Andi Arias, and I’m an attorney in the division of Privacy and Identity Protection here at the commission. My co-organizer for today’s event is Jamie Hine, also from the division of Privacy and Identity Protection. Before we get started with our substantive program I need to review a few administrative things. First of all, please, please, please silence your mobile phones and other electronic devices. If you must use them during the workshop, please be respectful of the speakers and your fellow audience members. Please be aware that if you leave the Constitution Center for any reason whatsoever, you will have to go back through security screening again. Please bear this in mind and plan ahead, especially if you’re participating on a panel so we can do our best to remain on schedule today. I’ve been asked to emphasize the next point, so please listen closely. Most of you received the lanyard today with a plastic FTC security badge. We reuse these for multiple events, so when you leave for the day please return your badge to security. If an emergency occurs in the building that requires you to just leave the conference room, but not the entire building, please follow the instructions provided over the PA system. If an emergency occurs that requires you to evacuate the entire building, an alarm will sound. Everyone should leave the building in an orderly manner through the main 7th Street exit, 7th Street exit. After leaving the building, turn left, and proceed down 7th Street across E Street to the FTC emergency assembly area. There’ll be people there with the right documentation showing you. Remain there until instructed to return to the building. The restrooms are located in the hallway right outside this auditorium. The Plaza East cafeteria is located inside the building. So you can go without having to go through security again. It is open until 3:00 PM, and I’ve been told that’s a hard stop. So please be mindful and plan ahead. Please remember, however, that no food or drink other than water is permitted in the auditorium. We will be leaving time for audience questions during each of the panels today. For those of you in the room, if you’d like to ask a question during a panel, raise your hand and one of our colleagues will hand you a comment card to bring up to us. For those of you participating via webcast, hi, everyone out there. FTC staff will be live tweeting today’s workshop at #privacycon19. So if you would like to ask a question via Twitter, please tweet your questions using @FTC and #privacycon19. Please understand that we may not be able to get to all of the questions. Please be advised that today’s event may be photographed and it is being webcast and recorded. By participating in this event, you are agreeing that your image and anything you say or submit may be posted indefinitely at ftc.gov or on one of the Commissioners’ publicly available social media sites. We’re happy to welcome those watching via the webcast. We will make the webcast and all of the workshop materials available online to create a lasting record for everyone interested in these issues. Lastly, I want to say thank you to our researchers and panelists for taking part today. We’re grateful for your time and work in the privacy and security area. Aside from the folks that you’ll be seeing on stage today, this program would not be possible without the great work done by many of our FTC colleagues. Please indulge me in letting them thank them for a few minutes. We want to thank our colleagues that assisted us in reviewing all of the research submissions including Dan Salsburg, Lerone Banks, Tina Young, Phoebe Rouge, James Thomas, Yan Lau, and Ryan Meem; and those moderating panels today, including Marc Eichorn, James Thomas, and Yan Lau. Finally, this conference would not be possible without the help of Crystal Peters, Arisa Henderson, and Bruce Jennings. Alongside our paralegal support today from Soojin Jeong, Ryan Sullivan, Ashley Knott, Patrick Curtain, Tyria Bunche, Courtney Butterworth, and Emily Liu; and support from Leslie Fair and June Chang from our Division of Consumer and Business Education and Nicole Jones from our Office of Public Affairs. Thank you all. Now it is my distinct honor and pleasure to welcome the Chairman of the Federal Trade Commission, Joseph Simons. [APPLAUSE] JOSEPH SIMONS: Well, good morning, everyone, and welcome to PrivacyCon 2019. During my first stint at the FTC— I’m in my third now. My first stint was back in the 1980s, way back in the 1980s. Personal computers were just being introduced into offices and homes. No one imagined that we would be soon carrying them in our pockets, speaking commands to them, or using other devices to track our fitness regimes, unlock our doors, and control our thermostats. I can remember back when I was a young associate in a law firm just out of law school, Compaq came out with a computer that they referred to as portable. It weighed about 40 pounds. What a difference. Few of us then envision the advances in technology we would experience in our lifetimes and the effect they would have on our everyday lives. Even fewer of us had the foresight to recognize the commodity unifying these technological advances – our data. When consumers engage digitally, companies collect information about their choices, experiences, and individual characteristics. Every day, companies make countless decisions based on our likes and our dislikes, our relationships and conversations, our transactions and our purchases. They carefully assemble, synthesize, trade, and sell these small bits of data, providing insights into market wide tastes and emerging trends, allowing for their prediction of individualized preferences. No doubt this vast amalgamation of data has allowed for great technological advances, but it also comes with risk. News stories highlight troubling privacy and data security practices on a regular basis, whether it’s allegations of using facial recognition technologies and images without users consent, breaches that expose health data, or sharing genetic data beyond consumers’ expectations. These types of privacy and data security failures don’t just generate headlines. They can cause real harms, including fraudulent charges on credit cards, safety risks, reputational injury, and unwarranted intrusions into people’s homes and the intimate details of their lives. In part, to examine these types of incidents and the injuries associated with them, we hosted our first PrivacyCon back in 2016. Since then, PrivacyCon has been an annual event that has enabled us to advance our consumer protection mission in multiple ways. It has allowed the FTC to stay up to date with emerging technologies. It has helped us identify potential areas for enforcement and to fashion our remedies in better ways, and it has highlighted areas in which we can provide additional business and consumer education. This is my first PrivacyCon as Chairman. And as you undertake your discussions today, I thought it would be useful to hear about some of the FTCs current priorities on privacy and data security. First and foremost is vigorous enforcement. Where we have statutory authority, we use it to the full extent. In the past year we bought privacy and security cases under the laws we enforce. And in the limited areas where we have civil penalty authority, we have used it aggressively and we expect more in the future. In February, we announced our highest penalty in the children’s privacy case against TikTok, which is a popular video social networking app. Last fall we obtained a $3 million civil penalty under the Fair Credit Reporting Act against the company whose automated decision making tool provided inaccurate data to property managers resulting in denial of housing. Second, I’ve been very focused on improving our non-monetary remedies in privacy and security cases in order to provide better deterrence. As part of our hearings on competition and consumer protection in the 21st century, we hosted a data security hearing which included a panel specifically focused on the FTCs data security enforcement. Partly in response to feedback that we received during the panel, we have incorporated new provisions into our data security orders. For example, in three recent cases we required that senior officers provide annual certifications of order compliance to the Commission, thus improving individual accountability. While we continue to require that companies implement a comprehensive process based data security program, in our most recent case we also included specific requirements that the company conduct yearly employee training, monitor its systems for data security incidents, and implement access controls. We’ve also made significant changes to improve the accountability of the third party assessors that review the company’s data security programs, requiring that the assessor look “under the hood,” rather than relying on the company’s assertions. And also, we’ve created greater oversight of the FTC for the assessor allowing us to hire and fire them. Third, we continue to use all of our non-enforcement tools at our disposal, to further our privacy and data security mission. For example, we have proposed amendments to the safeguards rule, to add more detailed requirements. We have used our authority under 6(b) of the FTC Act to request information from several ISPs to examine how broadband companies collect, retain, use, and disclose information about consumers.